dcfldd
Safely image disk drives for forensic analysis
TLDR
Copy a disk to a raw image file and hash the image using SHA256
Copy a disk to a raw image file, hashing each 1 GB chunk
SYNOPSIS
dcfldd [options] [if=]infile [of=]outfile
PARAMETERS
if=file
Input file or device (stdin if omitted)
of=file
Output file or device (stdout if omitted)
bs=n
Block size in bytes (default 512)
ibs=n
Input block size
obs=n
Output block size
hash=[md5|sha1|sha256|sha384|sha512]
Compute hash during copy (multiple allowed)
hashlog=file
Log hashes to file (stdin/stdout compatible)
hashwindow=n
Size for rolling hash buffer (default 512)
verify=[md5|sha1|...]
Verify output hash against input
hashlist=file
File of hashes for multi-file verification
oflag=[append|direct|noatime|sync]
Output file flags (comma-separated)
conv=[noerror|notrunc|sparse]
Data conversion options
seek=n
Skip n blocks on output
skip=n
Skip n blocks on input
progress=n
Progress update interval in seconds
statusinterval=n
Status update interval in blocks
log=file
Log all operations to file
--help
Display usage summary
-V, --version
Print version info
DESCRIPTION
dcfldd is a powerful disk imaging tool enhanced from the standard dd command, primarily designed for digital forensics and security auditing. It supports on-the-fly hashing (MD5, SHA1, SHA256, etc.), allowing verification of data integrity during imaging without additional passes. Key features include logging hashes to files, progress indicators, flexible block sizes, and options for direct I/O to minimize caching issues.
Ideal for creating bit-for-bit copies of drives, partitions, or files, dcfldd verifies output against input hashes, supports multiple hash algorithms simultaneously, and provides detailed status updates. It's widely used by law enforcement and cybersecurity professionals to acquire evidence images that are court-admissible due to verifiable integrity.
Unlike basic dd, dcfldd handles errors gracefully with options like noerror, prevents truncation, and logs comprehensive metadata, making it safer for critical operations. Always specify if= and of= explicitly to avoid mistakes.
CAVEATS
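Like dd, dcfldd is extremely dangerous: a wrong if= or of= can destroy data. Use conv=noerror,notrunc for safety. With noerror a read error does not stop the copy; as with dd, add sync to the conv list so unreadable blocks are padded and later offsets in the image stay aligned with the source. Direct I/O (oflag=direct) may fail on non-block devices. Hashing adds CPU overhead; test on small data first.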
Root privileges often required for devices.
COMMON EXAMPLE
dcfldd if=/dev/sda of=image.img hash=sha256 hashlog=hashes.txt conv=noerror,notrunc
Images /dev/sda with SHA256 hashing and error tolerance.
VERIFICATION EXAMPLE
dcfldd if=image.img of=/dev/null hash=sha256 verify=sha256
Verifies image integrity without writing output.
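An added example (not part of dcfldd or of the original page): a Python re-check of an acquired image against a hashlog written with hash=sha256 and hashwindow, reporting which windows no longer match so a change can be localized to a chunk. The log line shapes matched by the two regexes are an assumption about dcfldd's default output and should be confirmed against your version; the image in the demo is constructed.

```python
import hashlib
import re
import tempfile

# Assumed hashlog line shapes (confirm against your dcfldd version's output):
#   "0 - 1073741824: <hex>"    one per hashwindow chunk
#   "Total (sha256): <hex>"    whole-input hash
WINDOW_RE = re.compile(r"^(\d+) - (\d+): ([0-9a-f]{64})$", re.I)
TOTAL_RE = re.compile(r"^Total \(sha256\): ([0-9a-f]{64})$", re.I)

def parse_hashlog(text):
    """Return ([(start, end, hex)], total_hex_or_None) from hashlog text."""
    windows, total = [], None
    for line in map(str.strip, text.splitlines()):
        if m := WINDOW_RE.match(line):
            windows.append((int(m[1]), int(m[2]), m[3].lower()))
        elif m := TOTAL_RE.match(line):
            total = m[1].lower()
    return windows, total

def verify_image(path, log_text, bufsize=1 << 20):
    """Re-hash path in one pass; return (total_ok, [mismatched (start, end)])."""
    windows, total = parse_hashlog(log_text)
    whole, bad, pos = hashlib.sha256(), [], 0
    with open(path, "rb") as img:
        for start, end, expected in windows:
            if start != pos:
                raise ValueError(f"hashlog is not contiguous at offset {pos}")
            piece = hashlib.sha256()
            while pos < end:
                buf = img.read(min(bufsize, end - pos))
                if not buf:  # image ends inside this window
                    break
                piece.update(buf)
                whole.update(buf)
                pos += len(buf)
            if piece.hexdigest() != expected:
                bad.append((start, end))
            pos = end
        for buf in iter(lambda: img.read(bufsize), b""):
            whole.update(buf)  # bytes past the last logged window
    return whole.hexdigest() == total, bad

if __name__ == "__main__":
    data = bytes(range(256)) * 48  # constructed 12 KiB stand-in for an image
    log = "".join(f"{o} - {o + 4096}: {hashlib.sha256(data[o:o + 4096]).hexdigest()}\n"
                  for o in range(0, len(data), 4096))
    log += f"Total (sha256): {hashlib.sha256(data).hexdigest()}\n"
    with tempfile.NamedTemporaryFile() as f:
        f.write(data[:5000] + b"\xff" + data[5001:])  # one altered byte
        f.flush()
        print(verify_image(f.name, log))
```

A truncated image shows up as a mismatch in the window where it ends and in every window after it, while a single altered byte is confined to one window.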
HISTORY
Developed in 2003 by Nicholas Harbour at the DoD Cyber Crime Center (DC3) as an improved dd for forensics. Released publicly around 2004; maintained sporadically with versions up to 1.3.4-1 (2010). Focuses on auditability and verification for legal evidence collection.


